TLDR
The ScamVerify™ QR scanner is a free tool that decodes any QR code image and checks the embedded URL against 74,032 URLhaus malicious domains and 60,758 ThreatFox indicators of compromise before you visit the link. Upload a screenshot or photo of a QR code, and the scanner extracts the destination URL, runs it through multiple threat databases, applies AI analysis, and returns a plain-English risk assessment in seconds. The scanner works on standard QR codes, stylized QR codes with logos, and printed or digital QR images. It uses the same URL verification pipeline that powers the ScamVerify website checker.
Why Your Phone Camera Is Not Enough
Your phone camera can decode a QR code and show you a URL preview. That is a useful first step, but it has significant limitations:
| What Your Phone Does | What It Misses |
|---|---|
| Shows the initial URL | Does not check the URL against threat databases |
| Lets you read the domain | Does not detect redirect chains to malicious sites |
| Warns about non-HTTPS sites (sometimes) | Does not identify newly registered phishing domains |
| Shows the URL before you tap | Does not cross-reference with 8 million+ threat records |
The gap between "seeing a URL" and "knowing whether that URL is safe" is where most QR code scams succeed. A URL like parking-payment-austin.com looks plausible at a glance but is not the official Austin parking service. A URL like microsoft-365-verify.com mimics a legitimate Microsoft domain. Without checking against known threat databases, these deceptive domains pass human inspection.
How the ScamVerify QR Scanner Works
The scanning process follows a multi-step pipeline:
Step 1: Image Upload and QR Decoding
You upload a photo or screenshot containing a QR code. The server-side jsQR library decodes the image, extracting the embedded URL. This works on:
- Screenshots of QR codes from emails, messages, or websites
- Camera photos of physical QR codes (parking meters, restaurant tables, flyers)
- Saved images from social media or messaging apps
- Stylized QR codes with custom colors, logos, and rounded modules
The decoding happens server-side, which means the QR code is never opened on your phone. The URL is extracted and analyzed without your device visiting the potentially malicious destination.
Step 2: URL Extraction and Normalization
The scanner extracts the raw URL from the QR code and normalizes it for analysis. This includes resolving URL shorteners, identifying redirect parameters, and extracting the true destination domain.
Step 3: Threat Database Cross-Reference
The extracted URL is checked against multiple threat intelligence sources:
| Database | Records | What It Catches |
|---|---|---|
| URLhaus | 74,032 domains | Active malware distribution sites |
| ThreatFox | 60,758 indicators | Indicators of compromise (IOCs) from active campaigns |
| ScamVerify threat intelligence | 8 million+ records | Patterns from FTC complaints, FCC reports, community reports |
Step 4: AI Analysis
The AI analysis layer evaluates factors that threat databases alone might miss:
- Domain age and registration patterns (newly registered domains are higher risk)
- URL structure analysis (suspicious paths, encoded parameters, brand impersonation in subdomains)
- Content pattern recognition (credential harvesting indicators, payment form red flags)
- Historical similarity to known malicious URLs
Step 5: Risk Assessment
The scanner returns a plain-English risk assessment that includes:
- Risk level (safe, low risk, medium risk, high risk, dangerous)
- Explanation of why the URL received that rating
- Specific threats identified (malware, phishing, credential harvesting, etc.)
- Recommendations for what to do next
Step-by-Step: Using the QR Scanner
Method 1: Screenshot Upload
- See a QR code in an email, message, or on a website
- Take a screenshot on your phone (press Side + Volume Up on iPhone, or Power + Volume Down on Android)
- Go to scamverify.ai/qr-checker
- Upload the screenshot
- Review the risk assessment before taking any action on the QR code
Method 2: Camera Photo Upload
- See a physical QR code (parking meter, restaurant, flyer, poster)
- Take a regular photo with your camera (do NOT scan the QR code with the camera's QR reader)
- Go to scamverify.ai/qr-checker
- Upload the photo
- Review the risk assessment
Method 3: Save and Upload
- Long-press a QR code image on a website or in a message
- Save the image to your photo library
- Go to scamverify.ai/qr-checker
- Upload the saved image
- Review the risk assessment
What the Scanner Catches
The QR scanner has detected the following types of threats in QR code destinations:
Credential Harvesting Sites
Fake login pages mimicking Microsoft 365, Google, bank portals, IRS, Social Security Administration, and other high-value targets. These sites capture usernames, passwords, Social Security numbers, and bank details.
Malware Distribution
URLs that trigger downloads of malicious software, often disguised as "required updates," "security tools," or "document viewers."
Payment Fraud
Fake payment portals that capture credit card information. Common in parking meter QR scams, fake invoice QR codes, and fraudulent "pay here" stickers.
Phishing Redirects
QR codes that link to a legitimate-looking intermediate URL which then redirects to the actual malicious site. The redirect chain makes the initial URL preview appear safe.
Data Collection
Sites that request personal information under false pretexts: "Free Wi-Fi registration," "Event check-in," "Loyalty program signup," or "Survey participation."
How It Connects to Other ScamVerify Tools
The QR scanner is part of the broader ScamVerify threat verification platform:
| Channel | Tool | What It Checks |
|---|---|---|
| QR Code | QR Scanner | QR code destination URLs |
| Website | Website Checker | Any URL against threat databases |
| Phone | Phone Lookup | Phone numbers against FTC/FCC complaint data |
| Text | Text Checker | SMS/text messages for scam patterns |
| Email Checker | Email content, headers, and links | |
| Document | Document Analyzer | Uploaded documents for fraud indicators |
The QR scanner specifically feeds into the URL verification pipeline. When a QR code encodes a URL, that URL goes through the same analysis as a URL entered directly into the website checker. The QR scanner adds the decoding step on top of the existing URL analysis infrastructure.
When to Use the QR Scanner
Use the ScamVerify QR scanner whenever you encounter a QR code that you did not expect or cannot verify through other means:
Always scan these:
- QR codes in unsolicited emails
- QR codes on physical stickers that might be overlays
- QR codes from unknown senders in messages
- QR codes on flyers, posters, or promotional materials from unknown sources
- QR codes that promise something too good to be true (prizes, free items, large discounts)
Lower risk but still worth checking:
- QR codes at new restaurants or businesses you have not visited before
- QR codes on public infrastructure (parking meters, transit stops) where tampering is possible
- QR codes in physical mail from unexpected senders
Generally safe (but verify if anything seems off):
- QR codes in product packaging from a product you purchased
- QR codes at your regular businesses where you have seen the code before
- QR codes generated by apps you trust and installed yourself
FAQ
Is the ScamVerify QR scanner free?
The QR scanner uses your URL verification lookups. Registered free accounts get 5 free lookups. Subscription plans provide additional lookups based on your tier. The teaser result (basic risk assessment) is available without an account.
Does the scanner work on stylized QR codes with logos?
Yes. The jsQR decoder reads the underlying data pattern of the QR code, not the visual appearance. Custom colors, embedded logos, rounded modules, gradients, and other visual customizations do not affect the ability to decode the QR code and extract the destination URL.
What happens to the QR code image I upload?
The image is processed server-side to extract the QR code data, then the URL is analyzed against threat databases. The scanner does not store QR code images beyond what is needed for processing.
Can the scanner detect all malicious QR codes?
No security tool catches 100% of threats. The scanner checks against 74,032 URLhaus domains and 60,758 ThreatFox indicators, plus AI analysis of URL patterns. Brand-new malicious domains that have not yet been reported to threat databases may not be flagged. However, the AI analysis layer evaluates domain age, URL structure, and known attack patterns to catch many newly created threats.
How is this different from just checking the URL in my browser?
The scanner checks the URL before you visit it. When you scan a QR code normally and visit the URL, your browser loads the page and you are exposed to any tracking scripts, drive-by download attempts, or phishing content on that page. The ScamVerify scanner decodes the QR code and checks the URL without your device ever visiting the destination.
